Fix CSP for Vue, Ace, Vite, Safari compatibility

Relax Content Security Policy (CSP) to ensure essential functionality
of Vue, Ace and Vite legacy along with functioning developer experience
with macOS Safari.
This commit is contained in:
undergroundwires
2023-12-17 18:08:23 +01:00
parent 3f62bb2d6e
commit 940febc3e8


@@ -10,16 +10,24 @@
content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." /> content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." />
<link rel="icon" href="/favicon.ico"> <link rel="icon" href="/favicon.ico">
<!-- Security meta tags based on OWASP recommendations, see https://owasp.org/www-project-secure-headers/ci/headers_add.json --> <!--
Security meta tags based on OWASP recommendations.
See https://owasp.org/www-project-secure-headers/ci/headers_add.json for all recommended policies.
Exceptions:
- [+] `style-src 'unsafe-inline'` : Required for Vue.
- [+] `img-src data:` : Required for Ace (code editor) CSS.
- [+] `script-src: 'unsafe-inline'` : Required for Vite legacy (@vitejs/plugin-legacy) for production builds.
- [-] `upgrade-insecure-requests` : Required for development on macOS Safari or Safari will block requests on `http://localhost`.
-->
<meta <meta
http-equiv="Content-Security-Policy" http-equiv="Content-Security-Policy"
content=" content="
default-src 'self'; default-src 'self';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
img-src 'self' data:; img-src 'self' data:;
form-action 'self'; form-action 'self';
object-src 'none'; object-src 'none';
upgrade-insecure-requests;
block-all-mixed-content; block-all-mixed-content;
" "
> >
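Review bot: the removed `upgrade-insecure-requests` and the added `script-src 'self' 'unsafe-inline'` both land in the production meta tag, but the comment justifies dropping `upgrade-insecure-requests` only for development on macOS Safari (`http://localhost`); consider generating the policy per build mode so production keeps the directive and only the dev build omits it. For `script-src`, `'unsafe-inline'` switches off the inline-script protection that is the main reason to ship a CSP at all; if the @vitejs/plugin-legacy inline snippets are the only inline scripts in production, allowing just those by hash (`'sha256-...'` entries in `script-src`) would keep the protection for everything else, and the rationale in the comment should say why that is not done if it is not feasible. Minor: the comment line `script-src: 'unsafe-inline'` has a stray colon after the directive name that the policy line below does not.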